Analysis
max time kernel: 149s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/04/2024, 23:57
Static task: static1
Behavioral task: behavioral1
Sample: 85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5.exe
Resource: win10v2004-20240412-en
General
Target: 85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5.exe
Size: 156KB
MD5: a1237ecaf874dde0ec172eb3a4e37904
SHA1: f0f58bb89b0b48c8ee1f5ad34bed71ca6eb9e8b4
SHA256: 85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5
SHA512: 35cad8d0b8bf1d43be7bfdb2f0f0e315a0f5294fe9dbffd511dbd5b40657c17b7e02753ab9e5467a991cff1cb6d53f9ba98c1981f60e60ff4bbea4d81b7d78c0
SSDEEP: 3072:cNGoe5g+GwD8w2+d5bWIrJ4E5n41sSLeH8ozK/d/18UlyciE5j4oQh:cN2WIrJ4E5n41pVN/jhhd
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hoebi.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | 85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5.exe
Executes dropped EXE (1 IoCs)
pid | Process
- 3216 | hoebi.exe
Adds Run key to start application (2 TTPs, 53 IoCs)
description | ioc | Process
All 53 rows are "Set value (str)" on the key \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoebi; each row below gives the value written and the writing process:
- "C:\\Users\\Admin\\hoebi.exe /B" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /j" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /C" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /c" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /p" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /X" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /P" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /M" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /Y" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /w" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /T" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /q" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /t" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /b" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /V" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /e" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /J" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /x" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /W" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /G" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /v" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /h" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /l" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /z" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /R" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /o" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /a" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /m" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /L" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /N" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /Z" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /n" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /Q" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /H" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /i" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /m" | 85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5.exe
- "C:\\Users\\Admin\\hoebi.exe /r" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /O" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /A" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /k" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /u" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /s" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /F" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /g" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /y" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /U" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /f" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /K" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /S" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /E" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /D" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /I" | hoebi.exe
- "C:\\Users\\Admin\\hoebi.exe /d" | hoebi.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 3476 | 85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5.exe (2 rows)
- 3216 | hoebi.exe (the remaining 62 rows)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
- 3476 | 85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5.exe
- 3216 | hoebi.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
- PID 3476 wrote to memory of 3216 | 3476 | 85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5.exe | 90
- PID 3476 wrote to memory of 3216 | 3476 | 85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5.exe | 90
- PID 3476 wrote to memory of 3216 | 3476 | 85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5.exe | 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\85744fbaafa03ae35b85a953b3b2bba8dda9ccb0319652bacc7717622fe03dd5.exe"
PID: 3476
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
2. C:\Users\Admin\hoebi.exe (child of process 1)
Command line: "C:\Users\Admin\hoebi.exe"
PID: 3216
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 156KB
MD5: e4a789a19610990b23fde7f008bfdf1e
SHA1: e81c0eb015092e21335d4143a72035c9b0f2a2b5
SHA256: b3f829fd68b7a67f7d5e3bcd752204d558ebf617c4a89a00c7630dc68294ae10
SHA512: 768018c7b46e1fee54878d83cf35828d9c24e531f70f2fd5e52b08ff75a07f9ccfea3cf7ca75034d9addce66bbc0d77d493fd40c829af03314026fd69d8255ac